URGENT! Need to close open relay

OK, in setting up webmin/virtualmin/postfix/server, I managed to set postfix up to run as an open relay. Obviously this is not wanted (machine is being attacked right now to send out thousands of emails…)
The following is my postconf. Please help me close postfix to further attacks…

[pre]alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost.$mydomain, $mydomain, $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual[/pre]

Hey Kevin,

I don’t see any rules in that list that would open Postfix, as it is closed by default.

You’re going to want to look at smtpd_recipient_restrictions. In the vast majority of cases, the following will do what you want:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
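An added example, not part of the original thread and not Postfix or Virtualmin code: a small audit of the relay-relevant settings in `postconf` output, built around the restriction list recommended above. The function names are hypothetical, and the fallback value assumes a Postfix release before 2.10, such as the 2.3.3 shown in the thread.

```python
import ipaddress
import re

# Restrictions that stop mail for foreign destinations from being relayed.
GUARDS = {"reject_unauth_destination", "check_relay_domains",
          "reject", "defer", "defer_if_permit"}
# Built-in value on Postfix releases before 2.10 (the thread runs 2.3.3).
DEFAULT_RCPT = "permit_mynetworks, reject_unauth_destination"

def parse_postconf(text):
    """Turn 'name = value' lines (postconf output) into a dict."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {name.strip(): value.strip() for name, _, value in pairs}

def tokens(value):
    """Split a Postfix list value on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def audit_relay(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    rules = tokens(settings.get("smtpd_recipient_restrictions", DEFAULT_RCPT))
    guard_at = next((i for i, r in enumerate(rules) if r in GUARDS), len(rules))
    if guard_at == len(rules):
        findings.append("no reject_unauth_destination, reject or defer rule")
    before = rules[:guard_at]
    # Rules run left to right and the first match wins, so any rule that can
    # answer "permit" ahead of the guard decides who may relay.
    for rule in before:
        if rule == "permit":
            findings.append("bare 'permit' ahead of the relay guard")
        elif rule.startswith("check_") and rule.endswith("_access"):
            findings.append(f"{rule} ahead of the guard: an OK result permits relaying")
    if "permit_sasl_authenticated" in before:
        opts = tokens(settings.get("smtpd_sasl_security_options", "noanonymous"))
        if "noanonymous" not in opts:
            findings.append("permit_sasl_authenticated with anonymous SASL allowed")
    if "permit_mynetworks" in before:
        for entry in tokens(settings.get("mynetworks", "")):
            try:
                net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
            except ValueError:
                continue  # table lookups and "!" exclusions are not judged here
            if net.prefixlen == 0:
                findings.append(f"mynetworks entry {entry} trusts every client")
    return findings
```

Feed it the output of `postconf -n`; it inspects configuration only and does not replace an external relay test such as the DNSReport check mentioned in the thread.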

That’s what several server admins have told me…they see nothing wrong with it, but it is inherently open. I just adjusted the recipient_restrictions and was still able to telnet in and send mail unauthorized.

What would you recommend in this case? Is there a walkthrough somewhere on setting up postfix to work with virtualmin and virtual domains so that I could uninstall and then reinstall following steps? What screwed up my installation was that I had to make weird changes to get it to work like I wanted and I’m afraid of uninstalling and losing those changes…

The most expedient solution would be to shut down telnet, then, I suppose.

Unfortunately, that did no good. DNSReport still shows the server as an open relay…

I don’t use postfix, but you should be able to set postfix up for SMTP by authentication only. Check your SMTP options

make sure "Allow untrusted routing" is set to no and set HELO to yes

OK, after having another server administrator look at it, and having him be unsuccessful at closing it, I’ve decided to scrap postfix and restart, getting help along the way.

Let me explain how I need the users set up:

This server hosts multiple (read hundreds) of domains. Naturally, each of these domains needs email access. Therefore, creating a simple ‘user’ unix user will not work here. Instead we must create a user@domain user and a user-domain user (we must create two users because postfix doesn’t like the users to have user@domain type usernames). Mail is stored in a file called user-domain

I had all of this working before (after lots of hacking and whatnot) but had also somehow opened up postfix. I’ve uninstalled postfix and now reinstalled, and we’re working with a clean slate. What is the first step I need to take here to get the following things working:

  1. Have postfix accept mail for all of these domains on the server
  2. Have postfix allow authenticated sending for all users, using the user@domain login form

This is quite urgent, so any help and/or walkthroughs you have will be helpful.
Kevin

Just a quick update here. By adding the following lines (from my old main.cf), I’ve now got postfix accepting POP3 and SMTP logins for all of the users on the box. (and we’re still a closed relay) Now the only thing failing is that any mail sent to a user is bounced. Ex: If I send mail to kevin@domain.com, it bounces saying that postfix couldn’t find the user kevin…Obviously it’s just looking for the part before the @ for the user…How do I tell it to look for the full address as the user?

Oops…the lines were:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client xbl.spamhaus.org

This is one of the reasons I stay with Sendmail, frankly.

Hey Kevin,

Sounds like you’re missing the virtual map.

Add this line:

virtual_alias_maps = hash:/etc/postfix/virtual

This file needs to know about all of your users. If you already have a file (I assume since things were working before?), you’ll just need to restart postfix to have it pick up the change. If you don’t already have the file, you’ll need to generate it. You can probably use the batch capabilities in Virtualmin to do so.

I thought about that earlier and re-added that line and restarted, all to no avail. Does virtualmin adjust this file when I add/delete email addresses? If not, I had it working some other way, because I never adjusted that file after the initial setup, but all emails continued to work…

This is something very simple I know. I have a feeling that if I added one line to that file and then rebuilt the postmap that things would work…Anybody know what the syntax for adding a line is?
Kevin

OK - We’re so close it makes me sick…
I added the following mapping via webmin–>postfix–>virtual domains…

Map kevin@thatscriptguy.com to kevin-thatscriptguy.com

Was able to send a mail to that address and retrieve it without a problem…AWESOME!

Now the problem, of course, is
A) How do I add all of the already created email addresses to this database
B) How do I make virtualmin create this mapping when I create a new email address?

So close…
Kevin

This thread is being continued in a new thread that better described my current problem…

Hey Kevin,

Glad to hear things are shaping up.

Let’s address these in reverse order, because I’m hoping you’ve got a backup of the “virtual” file somewhere. :wink:

B) How do I make virtualmin create this mapping when I create a new email address?

That’s what Virtualmin does. There’s no way to configure it not to if you’re using postfix. Thus, the reason it was working before was that Virtualmin had created all of the necessary virtual map file entries for you. If you have the virtual file from before you blew away your installation, you can just copy it back into place and regen the postmap. You do have backups, right? (I’m afraid I already know the answer…nobody keeps backups. We’ve really gotta work on making the backup features easier to use, since no one seems to use them as they are now.)

Otherwise, we’ll need to import all of the existing users. Which brings us to:

A) How do I add all of the already created email addresses to this database

I’m not sure, off-hand. :wink:

There’s an easy way to import whole domains, including mailboxes based on group membership (this probably only works if your system uses groups the way Virtualmin expects)…but I don’t know if there’s a super easy way to import just users. There’s a batch create mode to the users and groups module, but it doesn’t get the Virtualmin stuff. I’ll poke around and see what we can do.

To be quite honest Joe, I’ve already re-added 90% of the email address mappings by hand. So making virtualmin batch add them isn’t much of a priority for me, at least, anymore. My main issue is that postfix isn’t accepting mail unless I explicitly tell it to accept mail for domains x, y, and z in the virtual_alias_domains parameter. I thought it pulled the domains from the virtual_alias_maps, but I guess I was wrong there.

So basically - I’ve got it working like I want, but I’m having to remember to add each virtual domain to that parameter. I figured virtualmin updated a file somewhere, but I’ve been unable to find it if it does…
Kevin

Hey Kevin,

Virtualmin does set this stuff up, and you don’t need a virtual_alias_domains directive if virtual_alias_maps are configured correctly.

Perhaps you’re missing the domain definition line? It’s just the domain name without any username attached, like:

virtualmin.com virtualmin.com

Every domain has to have an entry like this, or I believe you’ll get the behavior you’re seeing. (I believe this is equivalent to using virtual_alias_domains directly, but Virtualmin can and does manage it for you.)

BTW-That line appears in /etc/postfix/virtual
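An added example, not part of the original thread and not Virtualmin's own code: a check of the text of /etc/postfix/virtual for domains that have address mappings but no domain definition line, with a helper that appends the missing lines using the user@domain to user-domain naming described earlier. The function names and the sample data are constructed for illustration.

```python
def parse_virtual(text):
    """Split a virtual alias file into domain lines and address mappings."""
    domains, mappings = set(), {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comment lines carry no entry
        parts = line.split(None, 1)
        key = parts[0].lower()
        if "@" in key:
            mappings[key] = parts[1].strip() if len(parts) > 1 else ""
        else:
            domains.add(key)  # "domain domain" style definition line
    return domains, mappings

def missing_domains(text):
    """Domains that appear in address mappings but have no definition line."""
    domains, mappings = parse_virtual(text)
    return sorted({addr.rsplit("@", 1)[1] for addr in mappings} - domains)

def mailbox_line(address):
    """user@domain -> 'user@domain user-domain', the naming used in the thread."""
    user, domain = address.lower().rsplit("@", 1)
    return f"{user}@{domain} {user}-{domain}"

def repair(text, addresses=()):
    """Return the file text with new mailbox lines and missing domain lines added."""
    _, mappings = parse_virtual(text)
    lines = text.rstrip("\n").splitlines()
    new = dict.fromkeys(a.lower() for a in addresses)  # de-duplicate, keep order
    lines += [mailbox_line(a) for a in new if a not in mappings]
    lines += [f"{d} {d}" for d in missing_domains("\n".join(lines))]
    return "\n".join(lines) + "\n"

# Constructed sample, not taken from the thread.
SAMPLE = """\
# virtual alias map
example.org example.org
kevin@example.org kevin-example.org
sales@example.net sales-example.net
"""

if __name__ == "__main__":
    print("missing domain lines:", missing_domains(SAMPLE))
    print(repair(SAMPLE, ["Joe@Example.com"]), end="")
```

After writing the repaired text back, regenerate the lookup table with `postmap /etc/postfix/virtual`, as the thread describes.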

AHA! Right you are my friend. I need to add a mapping for each domain to domain and voila, it is accepting mail for the domains again.

Edit - You’ll never guess what I just found…My old virtual database. Copied it over and regenerated the postmap and we’re in business :slight_smile:

Thanks for your help Joe.

This thread is a perfect example why to use sendmail instead.

Sorry but postfix is the most confusing mail server I have ever had to deal with. There is nothing logical when setting it up.